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5 FAM 760 
CLASSIFICATION OF WEB BASED 

DOCUMENTS 

(CT:IM-121; 10-14-2011) 
(Office of Origin: IRM/BMP/GRP/GP) 

5 FAM 761 TYPES OF NETWORKS 

(CT:IM-112; 02-01 -201 1 ) 

There are two types of networks for general Department use: 

(1) OpenNet is an intranet with a portal to the Internet to include 
Email. OpenNet use is restricted to unclassified or sensitive but 
unclassified information. 

(2) ClassNet is a classified intranet which is not connected to the 
Internet, but is connected to SIPRNet and POEMS. ClassNet may 
process unclassified information, classified information up to and 
including SECRET, and information that has distribution restrictions. 
However, no Sensitive Compartmented Information (SCI) will be 
processed on ClassNet. 

5 FAM 762 CLASSIFICATION MARKING 

(CT:IM-112; 02-01 -201 1 ) 

a. The requirements of E.O. 13526 concerning classified information apply to 
all physical formats and document types, including web pages and e- 
mails. Marking the classification of each portion is particularly important 
for CLASSNET web postings, including unclassified portions, because 
users may copy or paraphrase information from web sites in new 
documents that require the correct derivative classification markings. 
Refer to the definition of "information" in E.O. 13526, PART 6 Sec. 6.1. 
Refer to the Department of State Classification Guide on CLASSNET 
exclusively and the A/GIS/IPS website for details on determining 
classification and classification markings. 

b. 5 FAH-8 H-450 contains sample codes that can be used to ensure 
classified Web pages are properly marked for both display and printing. 

5 FAM 763 HANDLING PROTECTED 
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INFORMATION IN THE INFORMATION 
SHARING ENVIRONMENT (ISE) 

5 FAM 763.1 General 

5 FAM 763.1-1 Purposes 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. An Information Sharing Environment (ISE) has been created by Executive 
Order 13388 and Congressional statute to promote and improve the 
sharing of terrorism-related information. Executive Order 13388, "Further 
Strengthening the Sharing of Terrorism Information to Protect 
Americans," requires Federal agencies to give the highest priority to the 
interchange of terrorism information, while protecting the information 
privacy and other legal rights of Americans. 

b. The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), 
section 1016(d), as amended, calls for the issuance of guidelines to 
protect privacy and civil liberties in the development and use of 
information sharing activities. In December 2006, pursuant to IRTPA, the 
Program Manager for the ISE (PM-ISE) released a set of privacy 
guidelines, entitled Guidelines to Ensure that the Information Privacy and 
Other Legal Rights of Americans are Protected in the Development and 
Use of the Information Sharing Environment (hereinafter "ISE Privacy 
Guidelines"). 

c. The ISE Privacy Guidelines require U.S. Government departments and 
agencies to designate an "ISE Privacy Official" to directly oversee 
implementation of the Guidelines. Each Federal agency that is part of the 
ISE must also develop an ISE Privacy Protection Policy. 

d. The policy articulated herein sets forth the ISE Privacy Protection Policy 
for the Department of State and governs how the Department 
disseminates protected information within the ISE. This ISE Privacy Policy 
is consistent with the Department's existing privacy policies required by 
other mandates, including the Privacy Act of 1974, as amended. 

5 FAM 763.1-2 Scope 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. This policy applies to all Department of State personnel, as well as 

vendors, contractors, researchers, grant recipients, and others who have 
access to Department of State information or systems. 
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b. Specifically, the policy applies to information that: 

(1) Concerns U.S. persons as defined as "individual" by the Privacy Act 
of 1974; 

(2) Is subject to information privacy or other legal protections under 
the Constitution and Federal laws of the United States; 

(3) Is terrorism-related information as defined by Section 1016(a)(5), 
IRTPA, as amended; and 

(4) May be shared within the ISE among all levels of Federal, State, 
local, and tribal Government, with the private sector, and 
potentially with foreign partners. 

c. This policy may also apply to other information that the U.S. Government 
expressly determines by executive order, international agreement, or 
other similar instrument should fall into this category. 

5 FAM 763.1-3 Authorities 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

Authorities pertaining to the ISE include: 

(1) OMB Memorandum M-05-08 dated February 11, 2005; 

(2) Privacy Act of 1974, (5 U.S.C. 552a), as amended; 

(3) E-Government Act of 2002, Public Law 107-347; 

(4) The Intelligence Reform and Terrorism Prevention Act of 2004 
(IRTPA), Public Law 108-458; 

(5) The Implementing Recommendations of the 9/11 Commission Act of 
2007, Public Law 110-53; 

(6) Executive Order 12333 (United States Intelligence Activities), as 
amended by Executive Orders 13284 (2003), 13355 (2004), and 
13470 (2008); 

(7) Executive Order 13388 (Further Strengthening the Sharing of 
Terrorism Information to Protect Americans); 

(8) Presidential Decision Directive (PDD) 63, May 22, 1998; 

(9) OMB Circular A-130, Appendix I, February 8, 1996; and 

(10) Presidential Memorandum to Heads of Executive Departments and 
Agencies, Guidelines and Requirements in Support of the 
Information Sharing Environment, December 2005 

5 FAM 763.1-4 Definitions 
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(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

Breach - The loss of control, compromise, unauthorized disclosure, 
acquisition, access, or any similar term referring to situations in which 
persons other than authorized users, for an other than authorized 
purpose, have access or potential access to PII, whether physical or 
electronic. 

Civil liberties - fundamental individual rights such as freedom of speech, 
press, or religion; due process of law; and other limitations on the power 
of the Government to restrain or dictate the actions of individuals. They 
are the freedoms that are guaranteed by the Bill of Rights— the first ten 
Amendments— to the Constitution of the United States. Civil liberties offer 
protection to individuals from improper Government action and arbitrary 
Governmental interference (as defined by the ISE Frequently Asked 
Questions. 

Civil rights- those rights and privileges of citizenship and equal protection 
that the State is constitutionally bound to guarantee all citizens 
regardless of race, religion, sex, or other characteristics unrelated to the 
worth of the individual. Protection of civil rights imposes an affirmative 
obligation upon Government to promote equal protection under the law. 
These civil rights to personal liberty are guaranteed to all U.S. citizens by 
the Thirteenth and Fourteenth Amendments and by acts of Congress. 
Generally, the term civil rights involves positive (or affirmative) 
Government action to protect against infringement (as defined by the ISE 
Frequently Asked Questions). 

Homeland security information - homeland security information (defined 
by the Homeland Security Act of 2002, Public Law 107-296, Section 
892(f)(1) (codified at 6 U.S.C. 482(f)(1)) is defined as information 
derived from or possessed by a State, local, tribal, or Federal agency 
that: 

(1) Relates to a threat of terrorist activity; 

(2) Relates to the ability to prevent, interdict, or disrupt terrorist 
activity; 

(3) Would improve the identification or investigation of a suspected 
terrorist or terrorist organization; or 

(4) Would improve the response to a terrorist act. 

(5) Law enforcement information - is defined in the ISE Awareness 
Training and means any information obtained by or of interest to a 
law enforcement agency or official that is both: 

(a) Related to terrorism or the security of our homeland; and 
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(b) Relevant to a law enforcement mission, including but not 
limited to: 

• Information pertaining to an actual or potential criminal, 
civil, or administrative investigation or a foreign 
intelligence, counterintelligence, or counter terrorism 
investigation; 

• An assessment of or response to criminal threats and 
vulnerabilities; 

• The existence, organizations, capabilities, plans, 
intentions, vulnerabilities, means, methods, or activities of 
individuals or groups involved or suspected of involvement 
in criminal or unlawful conduct or assisting or associated 
with criminal or unlawful conduct; 

• The existence, identification, detection, prevention, 
interdiction, or disruption of, or response to criminal acts 
and violations of the law; 

• Identification, apprehension, prosecution, release, 
detention, adjudication, supervision, or rehabilitation of 
accused persons or criminal offenders; or 

• Victim/witness assistance. 

Data quality - the accuracy, timeliness, relevance, and completeness of 
information about individuals. 

Data security - means physical, technical, and administrative measures 
used to safeguard protected information from unauthorized access, 
modification, use, disclosure, or destruction as defined in the ISE Privacy 
Guidelines and 12 FAM 091 under "Information Security." 

Information Sharing Environment (ISE) - an approach that facilitates 
the sharing of terrorism and homeland security information. The ISE was 
established by the Intelligence Reform and Terrorism Prevention Act of 
2004 (IRTPA), and its definition was amended by The Implementing 
Recommendations of the 9/11 Commission Act of 2007. 

Protected information - information about U.S. citizens and lawful 

permanent residents that is subject to information privacy or other legal 
protections under the U.S. Constitution and Federal laws of the United 
States. It is anticipated that, in most cases, protections will focus on PII 
(as defined in 5 FAM 460) about U.S. citizens and lawful permanent 
residents. 

Redress - under these Guidelines means the policies and procedures 
established by the Department of State for addressing complaints about 
privacy, civil liberties, and/or civil rights arising from the sharing of 
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protected information within the ISE. 

Routine use - the use, sharing, or disclosure of protected information for a 
purpose compatible with the purpose for which the information was 
collected. 

Terrorism-related information - terrorism information, identified as 
"terrorism-related information" throughout this policy, is defined by 
Section 1016(a)(5), IRTPA, as amended: 

(1) The existence, organization, capabilities, plans, intentions, 
vulnerabilities, means of finance or material support, or activities of 
foreign or international terrorist groups or individuals, or of 
domestic groups or individuals involved in transnational terrorism; 

(2) Threats posed by such groups or individuals to the United States, 
U.S. persons, or U.S. interests, or to those of other nations; 

(3) Communications of or by such groups or individuals; 

(4) Groups or individuals reasonably believed to be assisting or 
associated with such groups or individuals; and 

(5) Weapons of mass destruction information. 

Note: The "terrorism information" definition reflects the recent addition 
of "weapons of mass destruction information" incorporated by the 
Implementing Recommendations of the 9/11 Commission Act of 2007. 

U.S. person - as defined in the Privacy Act of 1974 as an "individual," 
meaning "a citizen of the United States or an alien lawfully admitted for 
permanent residence." 

Non-U. S. person - any person who falls outside the definition of 
"individual" as defined in the Privacy Act of 1974. 

Weapons of mass destruction information - The term weapons of mass 
destruction information, defined in Section 1016(a)(6), IRTPA, means 
information that could reasonably be expected to assist in the 
development, proliferation, or use of a weapon of mass destruction 
(including a chemical, biological, radiological, or nuclear weapon) that 
could be used by a terrorist or a terrorist organization against the United 
States, including information about the location of any stockpile of 
nuclear materials that could be exploited for use in such a weapon that 
could be used by a terrorist or a terrorist organization against the United 
States. 

5 FAM 763.2 Roles and Responsibilities 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 
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a. Secretary of State: The roles and responsibilities of Federal agencies 
within the ISE are defined in the IRTPA and E.O. 12333. Within the ISE 
structure, the Secretary of State is specifically responsible for: (a) the 
collection (overtly or through public sources) of information relevant to 
U.S. foreign policy and national security; (b) the dissemination of reports 
received from U.S. diplomatic and consular posts; (c) the transmission of 
reporting requirements and taskings of the intelligence community to 
Chiefs of U.S. Missions abroad; and (d) the support of Chiefs of U.S. 
Missions in discharging their responsibilities under law and Presidential 
direction. 

b. Senior Agency Official for Privacy: The Assistant Secretary for 
Administration serves as the Senior Agency Official for Privacy (SAOP) 
and is responsible for overseeing, coordinating, and facilitating the 
Department's compliance with privacy policy, as mandated by Federal 
legislation, and the Office of Management and Budget (OMB), as applied 
in 1 FAM 211.2 and 5 FAM 464. As the SAOP, the Assistant Secretary for 
Administration also chairs the Privacy Protection Governance Board 
(PPGB) and serves as the Department's ISE Privacy Official. 

c. Privacy Protection Governance Board (PPGB): The PPGB is a 
Department of State internal working body that addresses issues relating 
to PII from a Department-wide perspective and ensures the Department's 
ability to respond to privacy-related White House directives, executive 
orders, and other authorities in a unified and timely manner. 

d. Core Response Group: The PPGB has established the Core Response 
Group (CRG), pursuant to OMB and Presidential recommendation, to act 
promptly and appropriately in the event of a data breach involving PII. In 
the event of a suspected or confirmed data breach involving PII, the CRG 
will assist the relevant bureau or office with the development and 
implementation of an appropriate response to the breach incident. 

e. The Privacy Division (A/GIS/IPS/PRV): The Privacy Division serves 
as the Department's steward of the E-Government Act of 2002, as well as 
executive orders, OMB directives, and Department policies that protect 
the collection, use, and disclosure of PII (see 1 FAM 214.2, Office of 
Information Programs and Services (A/GIS/IPS)). The Privacy Division 
identifies all Department of State records systems from which information 
is retrieved by the name or personal identifier of an individual and 
publishes a system of records notice (SORN) for these record systems in 
the Federal Register. A/GIS/IPS/PRV also conducts privacy impact 
assessments (PIAs) for the Department's electronic information 
collections and information technology systems that contain PII in order 
to assess potential risk and determine ways to mitigate such risk (see 5 
FAM 611). Within the ISE, the Privacy Division is responsible for 
coordinating and disseminating ISE requirements concerning privacy and 
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coordinating implementation of these requirements within the 
Department. 

f. Bureau of Information Resource Management (IRM): The Bureau 
of Information Resource Management is responsible for the Department's 
data and information systems domestically and abroad. IRM's range of 
responsibilities includes data sharing, data quality, information systems 
development, internet and intranet use, and, in accordance with IRM and 
Bureau of Diplomatic Security (DS) guidelines, the integrity and security 
of data and information systems (5 FAM 800). 

g. Bureau of Diplomatic Security: The Directorate of Threat 
Investigations and Analysis (DS/TIA) is the primary focal point for all 
threat investigations, analysis, and dissemination. TIA is comprised of the 
Offices of Intelligence and Threat Analysis (DS/TIA/ITA), the Diplomatic 
Security Command Center (DS/TIA/CC), the Overseas Security Advisory 
Council (DS/TIA/OSAC), and Protective Intelligence and Investigations 
(DS/TIA/PII), which includes the Rewards for Justice Program 
(DS/TIA/PII/RFJ). Additionally, the Security Infrastructure Directorate 
(DS/SI) supports the ISE initiatives mandated by the IRTPA, as amended. 
DS/SI policy analysts participate in numerous ISE working groups and 
initiatives (1 FAM 262). 

h. ISE Working Group: The Department of State's internal ISE working 
group (ISEWG) is chaired by the Department's senior official responsible 
for implementing ISE mandates and composed of representation from 
relevant bureaus involved with or participating in the sharing of 
terrorism-related information. 

i. Office of the Legal Adviser (L): The office of the Legal Adviser 
furnishes advice on all legal issues, domestic and international, arising in 
the course of the Department's work. 

j. Department ISE Privacy Official: The Senior Agency Official for 
Privacy (SAOP) serves as the Department of State ISE Privacy Official. 
The ISE Privacy Official is the Department of State's senior official with 
overall agency-wide responsibility for information privacy issues (as 
designated by statute or executive order, or as otherwise identified in 
response to OMB Memorandum M-05-08 dated February 11, 2005). The 
ISE Privacy Official directly oversees the agency's implementation of and 
compliance with the ISE Privacy Guidelines. The ISE Privacy Official is 
responsible for ensuring that: 

(1) The agency's policies, procedures, and systems are appropriately 
designed and executed in compliance with the ISE Privacy 
Guidelines, and 

(2) Changes are made as necessary. 

k. Department Senior Official for the ISE: The Department's 
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representative at interagency meetings where ISE policies are discussed 
and developed. This senior official is responsible for managing the 
Department's ISE efforts. 

I. Department ISE Standing Committee: A Deputy Assistant Secretary 
(DAS) level standing committee that communicates ISE developments 
across the Department, proposes ISE-driven Department policies, and 
recommends how the Department should prioritize ISE-related funding 
priorities. This Committee is chaired by the Department's Senior Official 
for the ISE. 

m.ISE Privacy Guidelines Committee: The ISE Privacy Guidelines 

Committee will be chaired by the Program Manager (PM-ISE) or a senior 
official designated by the PM-ISE, and will consist of privacy officials from 
agencies involved in the ISE. The ISE Privacy Guidelines Committee 
should request legal or policy guidance on questions relating to the 
implementation of these Guidelines from those agencies having 
responsibility or authorities for issuing guidance on such questions; any 
such requested guidance must be provided promptly by the appropriate 
agencies. 

n. System Owner: The system owner is the owner of a locally developed 
information system at the post or bureau level. Domestically, the system 
owner is the bureau-designated senior executive responsible for the 
system. Abroad, the system owner is the Charge, Deputy Chief of 
Mission, Consul General, Principal Officer or equivalent, or the bureau- 
designated senior executive responsible for the system. The system 
owner is responsible for performance, privacy, and security issues for the 
system throughout its lifecycle (see 5 FAM 825). 

5 FAM 763.3 Protected Information 

5 FAM 763.3-1 Identification of Protected Information to 
be shared through the ISE 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. Protected information that may be shared with another Federal agency, a 
State, local, or tribal agency, with the private sector, or a foreign partner 
is subject to three basic requirements: 

(1) Identification; 

(2) Prior review; and 

(3) Notification. 

These requirements will enable ISE participants to handle the shared 
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information in accordance with applicable legal requirements. 

Identification and Prior Review. To meet these requirements the 
Department's Senior Official for the ISE, working with IRM and 
Department system owners, must identify those data holdings that 
contain protected information that may be shared within the ISE and 
develop reasonable procedures to ensure that the information has been 
reviewed before it is shared. System owners are responsible for reviewing 
their own information, in conjunction with the Department's Senior 
Official for the ISE, and consulting compliance documents provided by 
IRM and the ISE Privacy Official. The review and the ISE notification will 
allow ISE participants to determine whether: 

(1) The information pertains to a U.S. citizen or lawful permanent 
resident; 

(2) There are limitations on the reliability or accuracy of the 
information; 

(3) The information is subject to specific privacy or other restrictions on 
access, use, or disclosure, and if so, the nature of such restrictions; 
and 

(4) The SORN and Privacy Impact Assessment (PIA) programs in the 
Privacy Division meet the requirements for identification and prior 
review and constitute the basic source for the information required 
for an ISE notification. (See 5 FAM 460.) Based on SORN/PIA data, 
the ISE Privacy Official will prepare an ISE notification, addressing 
items (1) through (3) above when an ISE request is made for 
protected information in the Department's shared system list. 

Notice - In accordance with existing regulations or any regulations 
established in the future, the Department of State will give notice of the 
nature of the individual records, data, databases, or Systems of Records 
which it creates, maintains, or makes available to other agencies through 
the ISE by providing a header, cover sheet, electronic caption, or 
appropriate portion mark, which must State if the information provided: 

(1) Contains protected information pertaining to a U.S. person, a non- 
U.S. person protected by treaty or international agreement, or a 
person/organization whose U.S. person status is undetermined; or 

(2) Is subject to legal restrictions on its access, use, or disclosure, 
describing the restriction and the pertinent law, regulation, or 
policy; or 

(3) Is generally reliable and accurate, and if not, describing the reason 
for limited confidence in source reliability or content validity (e.g., 
notice from previous recipient of the data, independent review, or 
inconsistency with other data). 
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c Offices within the Department of State must provide point of contact 
information to A/GIS/IPS/PRV for reports/records/data/systems they 
have been disseminating in the ISE. Such information must include, at a 
minimum, the name of the originating department, component, or 
subcomponent and the title and contact information for the person to 
whom questions regarding the information should be directed. 

5 FAM 763.3-2 Compliance with Laws 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

In compliance with the development and use of the ISE, the Department of 
State must, without exception, comply with the U.S. Constitution and all 
applicable laws and executive orders relating to protected information. 

5 FAM 763.3-3 Rules Assessment 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. Prior to entering into information sharing agreements, system owners will 
follow the review procedures for data holdings identified under 5 FAM 
775.1 as containing protected information. System owners must notify 
the Department's Senior Official for the ISE, A/GIS/IPS/PRV, and the 
Office of the Legal Adviser (L) if any information sharing agreements 
identify: 

(1) An issue that poses a significant risk to information privacy rights or 
other legal protections; or 

(2) A restriction on sharing privacy-protected information imposed by 
internal Department of State policy that significantly impedes the 
sharing of terrorism, homeland security, or law enforcement 
information in a manner that does not appear to be required by 
applicable laws or to protect information privacy rights or provide 
other legal protections; or 

(3) A restriction on sharing privacy-protected information, other than 
one imposed by internal Department of State policy, that 
significantly impedes the sharing of information in a manner that 
does not appear to be required to protect information privacy rights 
or provide other legal protections. 

b. Upon receipt and validation of this information, A/GIS/IPS/PRV, in 
coordination with the Office of the Legal Adviser, must review such 
impediments with the Department's ISE Standing Committee. If 
appropriate internal resolution cannot be developed, the ISE Standing 
Committee must review such restriction with the ISE Privacy Guidelines 
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Committee. If an appropriate resolution is still not developed, the 
Standing Committee must bring the restriction to the attention of the 
Attorney General and the Director of National Intelligence, through the 
Secretary of State. The Attorney General, DNI, and the Secretary of State 
must review any such restriction and jointly submit any recommendations 
for changes to the Assistant to the President for Homeland Security and 
Counterterrorism, the Assistant to the President for National Security 
Affairs, and the Director of the Office of Management and Budget for 
further review. 

5 FAM 763.3-4 Non-Federal Entities 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

The Department of State will work with non-Federal entities seeking access 
to protected information through the ISE and ensure that such non-Federal 
entities have appropriate policies and procedures that provide protections at 
least as comprehensive as this FAM chapter prior to sharing protected 
information. 

5 FAM 763.4 Data Quality 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. Privacy Act policies aimed at preventing errors in protected information 
are set forth in 5 FAM 462 and in frequent reminders to employees 
through Department Notices. A/GIS/IPS/PRV also works closely with 
system owners to develop and update SORNs and PIAs in tandem with a 
system's Certification and Accreditation every three years. Renewed 
emphasis on these programs improves the quality of the data collected 
and stimulates awareness of PII in State Department records and 
systems. 

b. Accuracy - Bureaus that engage in information collection must ensure 
that protected information meets the standards of accuracy, 
completeness, and consistency required to further the purpose(s) for 
which the information is collected and used (see 5 FAM 630 on Data 
Management). Quality checks are conducted against the submitted 
documentation at every stage, and administrative policies must be 
established to minimize instances of inaccurate data (see generally, 7 
FAM 1300, Passport Services, and specifically 7 FAM 1320, Identity of the 
Passport Applicant (SBU)). 

c. Notice of Errors - If the Department of State engages in the matching 
or merging of protected information about an individual from two or more 
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sources, the Department must ensure the following actions occur: 

(1) The merged/matched records relate to the same individual; 

(2) Data errors, inconsistencies and deficiencies are investigated in a 
timely manner and corrected or deleted; 

(3) Data that is outdated or not pertinent to the purpose of the 
collection is updated or deleted in a timely manner; 

(4) Data that is pending correction, updating, or deletion is marked 
indicating this status; and 

d. In the event the Department determines that protected information 
originating from another agency may be erroneous, includes incorrectly 
merged information, or lacks adequate context such that the rights of the 
individual may be affected, the following actions will occur: 

(1) The potential error or deficiency must be communicated in writing 
to the Department of State Senior Agency Official for Privacy 
(SAOP) as well as to the other agency's POC for that information or 
its ISE Privacy Official; and 

(2) The communication must include information that clarifies, limits, 
contradicts, or qualifies the information deemed to be erroneous or 
deficient. 

(3) The Department must withhold from disclosure or access any 
potentially erroneous protected information originating from 
another agency until a review is conducted by the originating 
agency, and this information can be updated and corrected or 
deleted entirely. 

e. In the event the Department determines that protected information 
originating within the Department and shared with the ISE community is 
or may be erroneous and knows or has reason to believe (based on logs 
or other audit function) that the information was accessed by another 
agency, the originating Bureau must take the following steps: 

(1) Provide written notice to the Department of State SAOP of the error 
or suspected error, to include an assessment of the extent to which 
the protected information has been disseminated; to the extent 
they can be identified, notify recipients of the information of the 
errors or possible errors, including information that clarifies, limits, 
contradicts, or qualifies the information deemed to be erroneous or 
deficient; and 

(2) Correct or delete the erroneous information or, when appropriate, 
delete the entire report. When it is not certain that the protected 
information is erroneous, delete the report in its entirety or note 
known limitations on accuracy in the data field containing the 
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protected information. 

f. Any Department of State bureau that shares protected information either 
erroneously and/or in a manner inconsistent with this instruction must 
immediately rescind this information by contacting all recipients of the 
information and request immediate destruction of all copies of the 
information, whether electronic or physical (5 FAM 430 and 5 FAM 460). 

5 FAM 763.5 Data Securities 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. It is the policy of the Department of State to establish and maintain an 
effective automated information system (AIS) security program for the 
protection of Department information (see 12 FAM 600). This mission of 
data security within the Department of State is shared by the Bureau of 
Diplomatic Security (see 1 FAM 266.2, Office of Computer Security 
(DS/SI/CS), 1 FAM 266.1, the Office of Information Security (DS/SI/IS), 
and the Bureau of Information Resource Management (see 1 FAM 275.2, 
Information Technology Infrastructure Office (IRM/OPS/ITI) and 5 FAM 
1060, Information Assurance (IRM/IA)). These bureaus are responsible 
for the administration and management of the information security 
program for the Department of State, domestically and abroad, and for 
other Federal agencies under the authority of a chief of mission or 
principal officer as defined in this section. The policies and procedures 
that address breaches involving protected information collected, 
processed, or maintained by the Department are set forth in 5 FAM 467, 
Breach Response Policy. All Department of State employees and 
contractors are responsible for knowing, understanding, and following 
these policies and procedures, including the requirement to promptly 
report any suspected breach of PII. All employees and contractors with 
access to PII in the performance of their official duties are also 
responsible for following the Rules of Behavior for Protecting PII set forth 
in 5 FAM 469. The possible penalties for failure to follow these policies 
and procedures are described in 5 FAM 469.6, Consequences for Failure 
to Safeguard Personally Identifiable Information (PII). 

b. The combined information security policies and procedures of DS and IRM 
ensure the use of appropriate physical, technical, and administrative 
measures to safeguard protected information shared through the ISE. 
These measures protect against the unauthorized access, disclosure, 
modification, use, or destruction of information and maintain the overall 
data security of the Department. 

5 FAM 763.6 Accountability, Enforcement, and 
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Audit 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. The ISE Privacy Official is responsible for coordinating ISE-related audits 
or reviews within the Department and for developing and promoting "best 
practices" and business process changes that enhance privacy protections 
of protected information. The Privacy Division will also incorporate 
training in the development and use of ISE in its existing and future 
training programs. 

b. The Bureau of Information Resource Management is responsible for 
incorporating PII protection and privacy-enhancing technologies into the 
design, development, and acquisition of new information systems and 
into the operation of existing systems. 

c. All Department of State bureaus, which participate in the sharing of 
information, are responsible for cooperating with all ISE protected 
information audits and reviews conducted by officials. 

5 FAM 763.7 Redress 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. Any U.S. person who believes that their protected information may have 
been inappropriately shared or received by the Department of State in 
violation of applicable law, policy, or Executive Order may file a complaint 
per guidance described in the Department of State Information Access 
Guide/Manual. 

b. U.S. persons, when applicable, can file for Privacy Act redress through a 
"Privacy Act Request" submitted to A/GIS/IPS. They can also request 
amendment of records about themselves that are not accurate, timely, 
relevant, or complete through a request for amendment to A/GIS/IPS. 
This information and additional guidance are available on the 
Department's public and internal websites under "Privacy." A/GIS/IPS 
processes the requests for data changes in coordination with the Bureau 
of Information Resource Management. 

5 FAM 763.8 Execution, Training, and Technology 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

a. Execution - the ISE Privacy Official is responsible for ensuring that 
privacy protections dictated by this FAM chapter are implemented as 
appropriate through training, business process changes, and system 
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designs. The ISE Privacy Official will coordinate with DS and IRM to 
ensure that these safeguards are maintained and updated. 

b. Training - Training is a critical component of the ISE effort. The Foreign 
Service Institute (FSI/EX/REG) has created an online "core" training 
program. "Core" training will provide a common understanding of the ISE 
and so must be the same for all Federal departments and agencies. This 
training will also serve as guidance and a model for State, local, and tribal 
Government and private sector officials. This Information Sharing 
Environment course serves as the "core" training course and contains the 
following objectives: 

(1) Examine the importance of sharing terrorism information; 

(2) Describe how Congress and the President have mandated expanded 
access to terrorism-related information through the ISE, while 
maintaining and increasing information security and protecting 
privacy and civil liberties; 

(3) Recognize that there are key interagency and inter-Governmental 
efforts underway to promote information sharing across U.S. 
Government agencies; promote information sharing activities; and 

(4) Serve as core training for all U.S. Department of State direct hire 
employees who are charged with sharing terrorism-related 
information or supporting such sharing. 

c. Technology - As privacy-enhancing technologies arise, the Department 
will consider them in light of their effect on the privacy protections 
required by the ISE. When reasonably feasible and appropriate, the 
Department will implement new privacy-enhancing technologies. 

5 FAM 763.9 Awareness 

(CT:IM-121; 10-14-2011) 
(Office of Origin: A/GIS/IPS/PRV) 

The Privacy Division should make publicly available information regarding 
procedures for complaints implicating protected information shared in the 
ISE, to include the following: 

(1) An explanation of the nature of the complaints accepted; 

(2) The point of contact/ address for filing a complaint; and 

(3) The redress available. 

5 FAM 764 THROUGH 769 UNASSIGNED 

(CT:IM-121; 10-14-2011) 
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